Bandit Level 22 → Level 23

Level Goal

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.

Commands you may need to solve this level

cron, crontab, crontab(5) (use “man 5 crontab” to access this)

Doing the same thing from last level, we found the following script

cat cronjob_bandit23
* * * * * bandit23 /usr/bin/ &> /dev/null

cat /usr/bin/


mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)

echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"

cat /etc/bandit_pass/$myname > /tmp/$mytarget

I notice whoami give me the current user. In this case bandit22. So I should change that but I wasn’t sure how. Let’s run the script and see what happen.

Copying passwordfile /etc/bandit_pass/bandit22 to /tmp/8169b67bd894ddbb4412f91573b38db3

So I know if we change from bandit22 to bandit23, we will get a file that have the password for bandit23. The long file name is a hash (md5) from mytarget. Let execute that same line but switch $myname to bandit23. We got another long string and looking at the content of this file in tmp folder gives us the next password.

echo I am user bandit23 | md5sum | cut -d ' ' -f 1

cat /tmp/8ca319486bfbbc3663ea0fbe81326349